Security vulnerabilities pose a risk to any organization, as attackers can take advantage of them to launch malware, infiltrate networks and compromise sensitive data. But hospitals and healthcare facilities are especially at risk as a single exploit can impact medical devices, health records and even the lives of patients. A recent report from security firm Cyber Security Works looks at how security flaws can be weaponized to attack healthcare organizations.
To generate its report titled 43 Weaponized CVEs in Healthcare Products Threaten Patient Care, CSW analyzed 56 different vendors and 846 products overall. Ultimately, 624 vulnerabilities were discovered and identified.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
A full 43 of the vulnerabilities could be exploited in everyday healthcare products used to deliver patient care. The exploits for these 43 are either publicly available or are actively being targeted by attackers, creating risks for healthcare companies that fail to patch them.
Another four of the security flaws were found in three different Oracle products and have been previously exploited by Advanced Persistent Threat Groups, specifically by APT1, aka the BrownFox gang, a Chinese-sponsored group that’s been around since 2006. The four vulnerabilities are CVE-2020-11022, CVE-2020-11023, CVE-2015-9251 and CVE-2019-11358.
Two of the vulnerabilities are associated with ransomware attacks. One of the vulnerabilities, CVE-2020-0601, was found in a product from Biomerieux, a French biotechnology company. This one points to BigBossHorse, a ransomware that runs on Windows and spoofs code-signing certificates.
The other vulnerability, CVE-2021-34527, was seen in five different products from Stryker, a manufacturer of navigation platforms used in surgery. The products in question contain the infamous PrintNightmare flaw. An attack against any of these five devices could impact an actual surgery.
Other vulnerabilities seen by CSW pose their own risks. Some 12 of them have been hot topics on the Dark Web, with multiple posts discussing them, a sign that they’re ripe for exploitation among attackers. Six of the vulnerabilities were found in healthcare products and medical devices that could cause patient fatality or disability. Eight of the flaws fall under the category of remote code execution, meaning that attackers can remotely connect to a compromised system to control or change its behavior.
Attackers who exploit security flaws against healthcare facilities can put patients in jeopardy. In January of 2021, McAfee discovered a vulnerability in infusion pumps made by medical device company B. Braun that, if exploited, would have triggered an incorrect dosage of medication to a patient. And in 2019, a ransomware attack against Springhill Medical Center in the U.S. led to the death of an infant when the resulting network outage cut off staff from fetal heartbeat monitors.
How to protect yourself from these threats
How can healthcare providers better protect themselves from attackers who exploit security vulnerabilities? CSW offers the following recommendations:
Reduce the attack window by quickly addressing critical vulnerabilities
Cybercriminals are always eager to pounce on a security vulnerability as soon as it’s publicly known or available. That’s why healthcare organizations need to be proactive about monitoring for and patching security flaws before they can be widely exploited.
Combine Secure Access Service Edge solutions and biometric security
Secure Access Service Edge solutions are a mix of different cybersecurity tools, including secure remote access, on-premises security, secure cloud services and online resources. The goal is to help organizations devise the right strategy to securely manage and connect users and endpoints to any application or service. Biometric security is expected to play a bigger part in cybersecurity management by adding an extra level of protection.
Monitor electronic health record systems against exploitation
Sharing health records among doctors, hospitals and other providers, EHR systems can benefit both patients and healthcare facilities. But these systems have been increasingly targeted by attackers, requiring healthcare organizations to monitor them to ensure that patient details cannot be compromised.
Adopt multi-factor authentication
MFA adds another layer of protection beyond passwords alone. As such, healthcare providers should set up MFA systems to require physical hardware tokens or soft tokens such as passcodes or PINs before staff can gain access to sensitive patient data.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays